switching symlinks on atrun
daemon@ATHENA.MIT.EDU (Thomas Koenig)
Wed May 24 13:59:08 1995
To: linux-security@tarsier.cv.nrao.edu (linux-security)
Date: Wed, 24 May 1995 14:16:52 +0200 (MET DST)
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
A mention on bugtraq just made me aware of a potential problem
with at/atrun:
/var/spool/atrun is owned by a non-root userid, usually bin.
If somebody broke into bin, he could then execute a shell script
owned by root with root permissions, via a
ln -s /bin/rootscript /var/spool/atrun/jobname
with potentially fatal consequences.
I see two possibilities to counter this:
- put a 'signature' into an at file, i.e. have it start with
#!/bin/sh
# atrun user=20 group=30
Let atrun abort if the numeric userid and groupid on the script
don't match the numbers on the file. I'm currently working on this.
- Check whether we're currently trying to execute a symbolic link.
This is hard to get right without races, and I'd like opinions on
that.
What I'm currently thinking of is:
    #include <fcntl.h>
    #include <sys/stat.h>
    #include <unistd.h>

    struct stat buf, lbuf;
    int fd;

    fd = open(atrunfile, O_RDONLY);
    if (fd < 0 || fstat(fd, &buf) < 0 || lstat(atrunfile, &lbuf) < 0) {
        /* cannot open or stat the job file - abort */
    }
    if (S_ISLNK(lbuf.st_mode)) {
        /* abort and general mayhem here - somebody is trying to trick
         * us into executing a symbolic link
         */
    }
    if ((lbuf.st_dev != buf.st_dev) || (lbuf.st_ino != buf.st_ino) ||
        (lbuf.st_uid != buf.st_uid) || (lbuf.st_gid != buf.st_gid) ||
        (lbuf.st_size != buf.st_size)) {
        /* Apparently, somebody changed the file from under us between
         * the fstat and lstat calls. DANGER!
         */
    }
...
pass the file descriptor fd to /bin/sh as stdin
Question is: is the second if a secure test, or can anybody think of
conditions where a cracker might get past it?
The best solution would be to find out, via the lstat call, whether
the open actually referred to a symbolic link. Alternatively,
being able to specify an O_NONSYM flag to the open call would also
help.
Comments?
--
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
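An added example, not code from the original post nor from at/atrun: a safe open for a spool entry that combines the open/fstat/lstat comparison sketched above with O_NOFOLLOW, the flag that later filled the role of the "O_NONSYM" the post asks for. It assumes a POSIX system that supports O_NOFOLLOW and mkdtemp(); the spool directory, job names and job contents are constructed for the demonstration.

```c
/* Added example, not code from the original post: a safe open for an at job
 * that refuses symbolic links, combining the post's open/fstat/lstat check
 * with O_NOFOLLOW (the "O_NONSYM" it asks for). Assumes POSIX + O_NOFOLLOW. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { JOB_OK = 0, JOB_IS_SYMLINK = -1, JOB_CHANGED = -2, JOB_ERR = -3 };

/* Open without following a final symlink, then verify that the descriptor and
 * the directory entry name the same regular file (device, inode, owner, size). */
int open_job_nofollow(const char *path, int *fd_out)
{
    struct stat fbuf, lbuf;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) /* O_NOFOLLOW makes open() fail when the last component is a link */
        return (lstat(path, &lbuf) == 0 && S_ISLNK(lbuf.st_mode)) ? JOB_IS_SYMLINK : JOB_ERR;
    if (fstat(fd, &fbuf) < 0 || lstat(path, &lbuf) < 0) { close(fd); return JOB_ERR; }
    if (S_ISLNK(lbuf.st_mode) || !S_ISREG(fbuf.st_mode)) { close(fd); return JOB_IS_SYMLINK; }
    if (lbuf.st_dev != fbuf.st_dev || lbuf.st_ino != fbuf.st_ino ||
        lbuf.st_uid != fbuf.st_uid || lbuf.st_gid != fbuf.st_gid ||
        lbuf.st_size != fbuf.st_size) { close(fd); return JOB_CHANGED; }
    *fd_out = fd; /* caller may now hand fd to /bin/sh as stdin */
    return JOB_OK;
}

/* Constructed fixture: a fresh temporary spool directory holding a regular
 * job file and a symlink to it; returns the check result for one of them. */
int check_spool_entry(int use_symlink)
{
    char dir[] = "/tmp/atspoolXXXXXX", job[64], link[64];
    int fd = -1, rc = JOB_ERR;
    if (!mkdtemp(dir)) return JOB_ERR;
    snprintf(job, sizeof job, "%s/a00001", dir);
    snprintf(link, sizeof link, "%s/a00002", dir);
    FILE *f = fopen(job, "w");
    if (f) {
        fputs("#!/bin/sh\n# atrun user=20 group=30\necho hi\n", f);
        fclose(f);
        if (symlink(job, link) == 0)
            rc = open_job_nofollow(use_symlink ? link : job, &fd);
    }
    if (fd >= 0) close(fd);
    unlink(link); unlink(job); rmdir(dir);
    return rc;
}
```

The regular job file passes the check while the symlink is rejected before anything is read, independent of whether the attacker swapped the entry between the two stat calls.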